I-Linux: Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
- Eth0 1.1.1.1/32 IP yangaphandle
- ipip-ipsec0 192.168.0.1/30 iya kuba yitonela yethu
Miktoik: CCR 1009, RouterOS 6.46.5
- Eth0 10.0.0.2/30 IP yangaphakathi evela kumboneleli. I-IP yangaphandle ye-NAT yomboneleli iyaguquguquka.
- ipip-ipsec0 192.168.0.2/30 iya kuba yitonela yethu
Siza kwenza itonela ye-IPsec kumatshini we-Linux usebenzisa i-racoon. Andiyi kuchaza iinkcukacha, kukho okulungileyo
Faka iipakethe eziyimfuneko:
sudo install racoon ipsec-tools
Siqwalasela i-racoon, iya kusebenza ngokwemiqathango njengomncedisi we-ipsec. Ekubeni i-mikrotik ikwimowudi engundoqo ayinako ukuthumela isichongi somxhasi esongezelelweyo, kwaye idilesi ye-IP yangaphandle edityaniswa ngayo kwiLinux iyaguquguquka, usebenzisa isitshixo ekwabelwana ngaso ngaphambili (ugunyaziso lwegama lokugqithisa) aluyi kusebenza, ekubeni igama lokugqitha kufuneka lithelekiswe nokuba nedilesi ye IP ye umamkeli oqhagamshelayo, okanye ngesichongi.
Siza kusebenzisa isigunyaziso sisebenzisa izitshixo zeRSA.
I-racoon daemon isebenzisa izitshixo kwifomathi ye-RSA, kwaye i-mikrotik isebenzisa ifomethi ye-PEM. Ukuba uvelisa izitshixo usebenzisa i-plainrsa-gen utility ehamba ne-racoon, ngoko awuyi kukwazi ukuguqula isitshixo sikawonkewonke seMikrotika kwifomathi ye-PEM ngoncedo lwayo - iguqula kuphela kwicala elinye: i-PEM ukuya kwi-RSA. Nokuba i-openssl okanye i-ssh-keygen ayinakufunda isitshixo esenziweyo yi-plainrsa-gen, ngoko ke uguqulo alunakwenzeka ukuba lusetyenziswe nabo.
Siza kuvelisa isitshixo se-PEM sisebenzisa i-openssl kwaye emva koko siyiguqulele i-racoon usebenzisa i-plainrsa-gen:
# ΠΠ΅Π½Π΅ΡΠΈΡΡΠ΅ΠΌ ΠΊΠ»ΡΡ
openssl genrsa -out server-name.pem 1024
# ΠΠ·Π²Π»Π΅ΠΊΠ°Π΅ΠΌ ΠΏΡΠ±Π»ΠΈΡΠ½ΡΠΉ ΠΊΠ»ΡΡ
openssl rsa -in server-name.pem -pubout > server-name.pub.pem
# ΠΠΎΠ½Π²Π΅ΡΡΠΈΡΡΠ΅ΠΌ
plainrsa-gen -i server-name.pem -f server-name.privet.key
plainrsa-gen -i server-name.pub.pem -f server-name.pub.key
Siza kubeka izitshixo ezifunyenweyo kwifolda: /etc/racoon/certs/server. Ungalibali ukuseta umnini womsebenzisi phantsi kwegama lakhe i-daemon ye-racoon iqaliswe (ngokuqhelekileyo ingcambu) kwiimvume ze-600.
Ndiza kuchaza ukuseta i-mikrotik xa uqhagamshela ngeWinBox.
Layisha iqhosha le-server-name.pub.pem kwi-mikrotik: Imenyu "Iifayile" - "Layisha".
Vula icandelo elithi "IP" - "IP sec" - "Amaqhosha" ithebhu. Ngoku senza izitshixo - iqhosha elithi "Yenza isitshixo", emva koko uthumele iqhosha likawonkewonke le-mikrotika "Expor Pub. Isitshixo", unokuyikhuphela kwicandelo elithi "Iifayile", cofa ekunene kwifayile - "Khuphela".
Singenisa iqhosha likawonke-wonke le-racoon, "Ngenisa", kuluhlu oluhlayo lwendawo ethi "Igama lefayile" sijonga i-server-name.pub.pem esiyikhuphele ngaphambili.
Isitshixo sikawonke-wonke se-mikrotik kufuneka siguqulwe
plainrsa-gen -i mikrotik.pub.pem -f mikrotik.pub.key
kwaye uyibeke kwifolda /etc/racoon/certs, ungalibali malunga nomnini kunye namalungelo.
iracoon config enezimvo: /etc/racoon/racoon.conf
log info; # Π£ΡΠΎΠ²Π΅Π½Ρ Π»ΠΎΠ³ΠΈΡΠΎΠ²Π°Π½ΠΈΡ, ΠΏΡΠΈ ΠΎΡΠ»Π°Π΄ΠΊΠ΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΠΌ Debug ΠΈΠ»ΠΈ Debug2.
listen {
isakmp 1.1.1.1 [500]; # ΠΠ΄ΡΠ΅Ρ ΠΈ ΠΏΠΎΡΡ, Π½Π° ΠΊΠΎΡΠΎΡΠΎΠΌ Π±ΡΠ΄Π΅Ρ ΡΠ»ΡΡΠ°ΡΡ Π΄Π΅ΠΌΠΎΠ½.
isakmp_natt 1.1.1.1 [4500]; # ΠΠ΄ΡΠ΅Ρ ΠΈ ΠΏΠΎΡΡ, Π½Π° ΠΊΠΎΡΠΎΡΠΎΠΌ Π±ΡΠ΄Π΅Ρ ΡΠ»ΡΡΠ°ΡΡ Π΄Π΅ΠΌΠΎΠ½ Π΄Π»Ρ ΠΊΠ»ΠΈΠ΅Π½ΡΠΎΠ² Π·Π° NAT.
strict_address; # ΠΡΠΏΠΎΠ»Π½ΡΡΡ ΠΎΠ±ΡΠ·Π°ΡΠ΅Π»ΡΠ½ΡΡ ΠΏΡΠΎΠ²Π΅ΡΠΊΡ ΠΏΡΠΈΠ²ΡΠ·ΠΊΠΈ ΠΊ ΡΠΊΠ°Π·Π°Π½Π½ΡΠΌ Π²ΡΡΠ΅ IP.
}
path certificate "/etc/racoon/certs"; # ΠΡΡΡ Π΄ΠΎ ΠΏΠ°ΠΏΠΊΠΈ Ρ ΡΠ΅ΡΡΠΈΡΠΈΠΊΠ°ΡΠ°ΠΌΠΈ.
remote anonymous { # Π‘Π΅ΠΊΡΠΈΡ, Π·Π°Π΄Π°ΡΡΠ°Ρ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΡ Π΄Π»Ρ ΡΠ°Π±ΠΎΡΡ Π΄Π΅ΠΌΠΎΠ½Π° Ρ ISAKMP ΠΈ ΡΠΎΠ³Π»Π°ΡΠΎΠ²Π°Π½ΠΈΡ ΡΠ΅ΠΆΠΈΠΌΠΎΠ² Ρ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ°ΡΡΠΈΠΌΠΈΡΡ Ρ
ΠΎΡΡΠ°ΠΌΠΈ. Π’Π°ΠΊ ΠΊΠ°ΠΊ IP, Ρ ΠΊΠΎΡΠΎΡΠΎΠ³ΠΎ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ°Π΅ΡΡΡ Mikrotik, Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠΈΠΉ, ΡΠΎ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΠΌ anonymous, ΡΡΠΎ ΡΠ°Π·ΡΠ΅ΡΠ°Π΅Ρ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΠ΅ Ρ Π»ΡΠ±ΠΎΠ³ΠΎ Π°Π΄ΡΠ΅ΡΠ°. ΠΡΠ»ΠΈ IP Ρ Ρ
ΠΎΡΡΠΎΠ² ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΠΉ, ΡΠΎ ΠΌΠΎΠΆΠ½ΠΎ ΡΠΊΠ°Π·Π°ΡΡ ΠΊΠΎΠ½ΠΊΡΠ΅ΡΠ½ΡΠΉ Π°Π΄ΡΠ΅Ρ ΠΈ ΠΏΠΎΡΡ.
passive on; # ΠΠ°Π΄Π°Π΅Ρ "ΡΠ΅ΡΠ²Π΅ΡΠ½ΡΠΉ" ΡΠ΅ΠΆΠΈΠΌ ΡΠ°Π±ΠΎΡΡ Π΄Π΅ΠΌΠΎΠ½Π°, ΠΎΠ½ Π½Π΅ Π±ΡΠ΄Π΅Ρ ΠΏΡΡΠ°ΡΡΡΡ ΠΈΠ½ΠΈΡΠΈΠΈΡΠΎΠ²Π°ΡΡ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΡ.
nat_traversal on; # ΠΠΊΠ»ΡΡΠ°Π΅Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ ΡΠ΅ΠΆΠΈΠΌΠ° NAT-T Π΄Π»Ρ ΠΊΠ»ΠΈΠ΅Π½ΡΠΎΠ², Π΅ΡΠ»ΠΈ ΠΎΠ½ΠΈ Π·Π° NAT.
exchange_mode main; # Π Π΅ΠΆΠΈΠΌ ΠΎΠ±ΠΌΠ΅Π½Π° ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΠ°ΠΌΠΈ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΡ, Π² Π΄Π°Π½Π½ΠΎΠΌ ΡΠ»ΡΡΠ°Π΅ ---ΡΠΎΠ³Π»Π°ΡΠΎΠ²Π°Π½ΠΈΠ΅.
my_identifier address 1.1.1.1; # ΠΠ΄Π΅Π½ΡΠΈΡΠΈΡΠΈΡΡΠ΅ΠΌ Π½Π°Ρ linux Ρ
ΠΎΡΡ ΠΏΠΎ Π΅Π³ΠΎ ip Π°Π΄ΡΠ΅ΡΡ.
certificate_type plain_rsa "server/server-name.priv.key"; # ΠΡΠΈΠ²Π°ΡΠ½ΡΠΉ ΠΊΠ»ΡΡ ΡΠ΅ΡΠ²Π΅ΡΠ°.
peers_certfile plain_rsa "mikrotik.pub.key"; # ΠΡΠ±Π»ΠΈΡΠ½ΡΠΉ ΠΊΠ»ΡΡ Mikrotik.
proposal_check claim; # Π Π΅ΠΆΠΈΠΌ ΡΠΎΠ³Π»Π°ΡΠΎΠ²Π°Π½ΠΈΡ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΠΎΠ² ISAKMP ΡΡΠ½Π½Π΅Π»Ρ. Racoon Π±ΡΠ΄Π΅Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ Π·Π½Π°ΡΠ΅Π½ΠΈΡ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ°ΡΡΠ΅Π³ΠΎΡΡ Ρ
ΠΎΡΡΠ° (ΠΈΠ½ΠΈΡΠΈΠ°ΡΠΎΡΠ°) Π΄Π»Ρ ΡΡΠΎΠΊΠ° Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ΡΠ΅ΡΡΠΈΠΈ ΠΈ Π΄Π»ΠΈΠ½Ρ ΠΊΠ»ΡΡΠ°, Π΅ΡΠ»ΠΈ Π΅Π³ΠΎ ΡΡΠΎΠΊ Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ΡΠ΅ΡΡΠΈΠΈ Π±ΠΎΠ»ΡΡΠ΅, ΠΈΠ»ΠΈ Π΄Π»ΠΈΠ½Π° Π΅Π³ΠΎ ΠΊΠ»ΡΡΠ° ΠΊΠΎΡΠΎΡΠ΅, ΡΠ΅ΠΌ Ρ ΠΈΠ½ΠΈΡΠΈΠ°ΡΠΎΡΠ°. ΠΡΠ»ΠΈ ΡΡΠΎΠΊ Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ΡΠ΅ΡΡΠΈΠΈ ΠΊΠΎΡΠΎΡΠ΅, ΡΠ΅ΠΌ Ρ ΠΈΠ½ΠΈΡΠΈΠ°ΡΠΎΡΠ°, racoon ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅Ρ ΡΠΎΠ±ΡΡΠ²Π΅Π½Π½ΠΎΠ΅ Π·Π½Π°ΡΠ΅Π½ΠΈΠ΅ ΡΡΠΎΠΊΠ° Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ΡΠ΅ΡΡΠΈΠΈ ΠΈ Π±ΡΠ΄Π΅Ρ ΠΎΡΠΏΡΠ°Π²Π»ΡΡΡ ΡΠΎΠΎΠ±ΡΠ΅Π½ΠΈΠ΅ RESPONDER-LIFETIME.
proposal { # ΠΠ°ΡΠ°ΠΌΠ΅ΡΡΡ ISAKMP ΡΡΠ½Π½Π΅Π»Ρ.
encryption_algorithm aes; # ΠΠ΅ΡΠΎΠ΄ ΡΠΈΡΡΠΎΠ²Π°Π½ΠΈΡ ISAKMP ΡΡΠ½Π½Π΅Π»Ρ.
hash_algorithm sha512; # ΠΠ»Π³ΠΎΡΠΈΡΠΌ Ρ
Π΅ΡΠΈΡΠΎΠ²Π°Π½ΠΈΡ, ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΠΌΡΠΉ Π΄Π»Ρ ISAKMP ΡΡΠ½Π½Π΅Π»Ρ.
authentication_method rsasig; # Π Π΅ΠΆΠΈΠΌ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ Π΄Π»Ρ ISAKMP ΡΡΠ½Π½Π΅Π»Ρ - ΠΏΠΎ RSA ΠΊΠ»ΡΡΠ°ΠΌ.
dh_group modp2048; # ΠΠ»ΠΈΠ½Π° ΠΊΠ»ΡΡΠ° Π΄Π»Ρ Π°Π»Π³ΠΎΡΠΈΡΠΌΠ° ΠΠΈΡΡΠΈ-Π₯Π΅Π»Π»ΠΌΠ°Π½Π° ΠΏΡΠΈ ΡΠΎΠ³Π»Π°ΡΠΎΠ²Π°Π½ΠΈΠΈ ISAKMP ΡΡΠ½Π½Π΅Π»Ρ.
lifetime time 86400 sec; ΠΡΠ΅ΠΌΡ Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ΡΠ΅ΡΡΠΈΠΈ.
}
generate_policy on; # ΠΠ²ΡΠΎΠΌΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠ΅ ΡΠΎΠ·Π΄Π°Π½ΠΈΠ΅ ESP ΡΡΠ½Π½Π΅Π»Π΅ΠΉ ΠΈΠ· Π·Π°ΠΏΡΠΎΡΠ°, ΠΏΡΠΈΡΠ΅Π΄ΡΠ΅Π³ΠΎ ΠΎΡ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ°ΡΡΠ΅Π³ΠΎΡΡ Ρ
ΠΎΡΡΠ°.
}
sainfo anonymous { # ΠΠ°ΡΠ°ΠΌΠ΅ΡΡΡ ESP ΡΡΠ½Π½Π΅Π»Π΅ΠΉ, anonymous - ΡΠΊΠ°Π·Π°Π½Π½ΡΠ΅ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΡ Π±ΡΠ΄ΡΡ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½Ρ ΠΊΠ°ΠΊ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΡ ΠΏΠΎ ΡΠΌΠΎΠ»ΡΠ°Π½ΠΈΡ. ΠΠ»Ρ ΡΠ°Π·Π½ΡΡ
ΠΊΠ»ΠΈΠ΅Π½ΡΠΎΠ², ΠΏΠΎΡΡΠΎΠ², ΠΏΡΠΎΡΠΎΠΊΠΎΠ»ΠΎΠ² ΠΌΠΎΠΆΠ½ΠΎ Π·Π°Π΄Π°Π²Π°ΡΡ ΡΠ°Π·Π½ΡΠ΅ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡΡ, ΡΠΎΠΏΠΎΡΡΠ°Π²Π»Π΅Π½ΠΈΠ΅ ΠΏΡΠΎΠΈΡΡ
ΠΎΠ΄ΠΈΡ ΠΏΠΎ ip Π°Π΄ΡΠ΅ΡΠ°ΠΌ, ΠΏΠΎΡΡΠ°ΠΌ, ΠΏΡΠΎΡΠΎΠΊΠΎΠ»Π°ΠΌ.
pfs_group modp2048; # ΠΠ»ΠΈΠ½Π° ΠΊΠ»ΡΡΠ° Π΄Π»Ρ Π°Π»Π³ΠΎΡΠΈΡΠΌΠ° ΠΠΈΡΡΠΈ-Π₯Π΅Π»Π»ΠΌΠ°Π½Π° Π΄Π»Ρ ESP ΡΡΠ½Π½Π΅Π»Π΅ΠΉ.
lifetime time 28800 sec; # Π‘ΡΠΎΠΊ Π΄Π΅ΠΉΡΡΠ²ΠΈΡ ESP ΡΡΠ½Π½Π΅Π»Π΅ΠΉ.
encryption_algorithm aes; # ΠΠ΅ΡΠΎΠ΄ ΡΠΈΡΡΠΎΠ²Π°Π½ΠΈΡ ESP ΡΡΠ½Π½Π΅Π»Π΅ΠΉ.
authentication_algorithm hmac_sha512; # ΠΠ»Π³ΠΎΡΠΈΡΠΌ Ρ
Π΅ΡΠΈΡΠΎΠ²Π°Π½ΠΈΡ, ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΠ΅ΠΌΡΠΉ Π΄Π»Ρ Π°ΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ ESP ΡΡΠ½Π½Π΅Π»Π΅ΠΉ.
compression_algorithm deflate; # Π‘ΠΆΠΈΠΌΠ°ΡΡ ΠΏΠ΅ΡΠ΅Π΄Π°Π²Π°Π΅ΠΌΡΠ΅ Π΄Π°Π½Π½ΡΠ΅, Π°Π»Π³ΠΎΡΠΈΡΠΌ ΡΠΆΠ°ΡΠΈΡ ΠΏΡΠ΅Π΄Π»Π°Π³Π°Π΅ΡΡΡ ΡΠΎΠ»ΡΠΊΠΎ ΠΎΠ΄ΠΈΠ½.
}
uqwalaselo lwe mikrotik
Buyela kwicandelo "IP" - "IPsec"
"Iiprofayili" ithebhu
IParamu
Nentsingiselo
igama
Ngokwengqiqo yakho (ngokungagqibekanga)
Hash Algorithm
sha512
Uguqulelo oluntsonkothileyo
ees-128
Iqela le-DH
modp2048
Iproposhal_check
Kleyima
Ubomi bonke
1d 00:00:00
Ukuhanjiswa kweNAT
yinyani (jonga ibhokisi)
DPD
120
DPD Ubukhulu bokusilela
5
Ntanga tab
IParamu
Nentsingiselo
igama
Ngokwengqiqo yakho (emva koku kubhekiselwa kuyo njengeMyPeer)
idilesi
1.1.1.1 (oomatshini be-IP Linux)
Idilesi yendawo
10.0.0.2 (IP WAN interface mikrotik)
profayile
Engagqibekanga
Imo Yokutshintshana
eyona
I-Passive
amanga
Thumela u-INITIAL_CONTACT
oyinyaniso
Ithebhu yesindululo
IParamu
Nentsingiselo
igama
Ngokwengqiqo yakho (emva koku kubhekiselwa kuyo njengeMyPeerProposal)
Ububhali. Algorithms
sha512
Enncr. Algorithms
aes-128-cbc
Ubomi bonke
08:00:00
Iqela lePFS
modp2048
"Izazisi" ithebhu
IParamu
Nentsingiselo
Oontanga
Ntanga Yam
Atuh. Indlela
rsa isitshixo
isitshixo
mikrotik.privet.key
Isitshixo sokude
Igama lomncedisi.pub.pem
Iqela leSifanekiso sePolisi
Engagqibekanga
Notrack Chain
engenanto
Uhlobo lwesazisi sam
auto
Uhlobo lweSazisi olukude
auto
Tshatisa Ngu
id ekude
Uqwalaselo lweNdlela
engenanto
Yenza uMgaqo-nkqubo
hayi
Ithebhu "Imigaqo-nkqubo-Ngokubanzi"
IParamu
Nentsingiselo
Oontanga
Ntanga Yam
Ikhonkco
oyinyaniso
Src. Idilesi
192.168.0.0/30
Dest. Idilesi
192.168.0.0/30
Protocol
255 (bonke)
template
amanga
Ithebhu "Imigaqo-nkqubo-Isenzo"
IParamu
Nentsingiselo
inyathelo
kubhala
Nqanaba
umceli
IPsec Protocols
sp
Proposition
MyPeerProposal
Okunokwenzeka, njengam, une-snat/masquerade eqwalaselweyo kujongano lwakho lwe-WAN; lo mgaqo kufuneka uhlengahlengiswe ukuze iipakethi ze-ipsec eziphumayo zingene kwitonela yethu:
Yiya kwi "IP" - "Firewall" icandelo.
"NAT" ithebhu, vula umthetho wethu we-snat/masquerade.
iTab ekwinqanaba eliphezulu
IParamu
Nentsingiselo
IPsec Policy
ngaphandle: akukho
Ukuqalisa kwakhona idemon ye-racoon
sudo systemctl restart racoon
Ukuba i-racoon ayiqalisi ekuqaleni kwakhona, kukho impazamo kwi-config; kwi-syslog, i-racoon ibonisa ulwazi malunga nenombolo yomgca apho impazamo ifunyenwe khona.
Xa iibhutsi ze-OS, iracoon daemon iqala phambi kokuba ujongano lomsebenzi womnatha lunyuswe, kwaye sikhankanye i-strict_address ukhetho kwicandelo lokumamela; kufuneka udibanise iyunithi yeracoon kwifayile ye-systemd.
/lib/systemd/system/racoon.service, kwicandelo [Iyunithi], umgca After=network.target.
Ngoku iitonela zethu ze-ipsec kufuneka ziphakame, jonga isiphumo:
sudo ip xfrm policy
src 192.168.255.0/30 dst 192.168.255.0/30
dir out priority 2147483648
tmpl src 1.1.1.1 dst "IP NAT ΡΠ΅ΡΠ΅Π· ΠΊΠΎΡΠΎΡΡΠΉ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ°Π΅ΡΡΡ mikrotik"
proto esp reqid 0 mode tunnel
src 192.168.255.0/30 dst 192.168.255.0/30
dir fwd priority 2147483648
tmpl src "IP NAT ΡΠ΅ΡΠ΅Π· ΠΊΠΎΡΠΎΡΡΠΉ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ°Π΅ΡΡΡ mikrotik" dst 1.1.1.1
proto esp reqid 0 mode tunnel
src 192.168.255.0/30 dst 192.168.255.0/30
dir in priority 2147483648
tmpl src "IP NAT ΡΠ΅ΡΠ΅Π· ΠΊΠΎΡΠΎΡΡΠΉ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ°Π΅ΡΡΡ mikrotik" dst 1.1.1.1
proto esp reqid 0 mode tunnel
Ukuba amatonela akaphakamanga, jonga i-syslog, okanye i-journalctl -u racoon.
Ngoku kufuneka uqwalasele i-L3 interfaces ukuze itrafikhi ihambe. Kukho iinketho ezahlukeneyo, siya kusebenzisa i-IPIP, ekubeni i-mikrotik iyayixhasa, ndiya kusebenzisa i-vti, kodwa, ngelishwa, ayikaphunyezwa kwi-mikrotik. Ihluke kwi-IPIP ngokuba iyakwazi ukongeza i-multicast kwaye ifake ii-fwmarks kwiipakethi, apho zinokuthi zihluzwe kwiiptables kunye ne-iproute2 (umgaqo-nkqubo osekelwe kumgaqo-nkqubo). Ukuba ufuna ukusebenza okuphezulu, ngoko, umzekelo, GRE. Kodwa ungakulibali ukuba sihlawula umsebenzi owongezelelweyo ngentloko enkulu.
Ungalubona uguqulelo lophononongo olulungileyo lwemidibaniso yetonela
Kwi Linux:
# Π‘ΠΎΠ·Π΄Π°Π΅ΠΌ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡ
sudo ip tunnel add ipip-ipsec0 local 192.168.255.1 remote 192.168.255.2 mode ipip
# ΠΠΊΡΠΈΠ²ΠΈΡΡΠ΅ΠΌ
sudo ip link set ipip-ipsec0 up
# ΠΠ°Π·Π½Π°ΡΠ°Π΅ΠΌ Π°Π΄ΡΠ΅Ρ
sudo ip addr add 192.168.255.1/30 dev ipip-ipsec0
Ngoku unokongeza iindlela zothungelwano ngasemva kwe mikrotik
sudo ip route add A.B.C.D/Prefix via 192.168.255.2
Ukuze ujongano lwethu kunye neendlela ziphakanyiswe emva kokuqaliswa kwakhona, kufuneka sichaze i-interface kwi / etc / network / interfaces kwaye songeze iindlela apho kwi-post-up, okanye ubhale yonke into kwifayile enye, umzekelo, /etc/ ipip-ipsec0.conf kwaye uyitsale nge-post-up, ungalibali malunga nomnini wefayile, amalungelo kwaye uyenze iphunyezwe.
Ngezantsi ngumzekelo wefayile
#!/bin/bash
ip tunnel add ipip-ipsec0 local 192.168.255.1 remote 192.168.255.2 mode ipip
ip link set ipip-ipsec0 up
ip addr add 192.168.255.1/30 dev ipip-ipsec0
ip route add A.B.C.D/Prefix via 192.168.255.2
KwiMikrotik:
Icandelo "IiNdibaniselwano", yongeza ujongano olutsha "itonela ye-IP":
Ithebhu "Itonela ye-IP" - "Ngokubanzi"
IParamu
Nentsingiselo
igama
Ngokwengqiqo yakho (emva koku kubhekiselwa kuyo njenge-IPIP-IPsec0)
UMNTU
1480 (ukuba ayichazwanga, i-mikrotik iqala ukusika umntu ukuya kuma-68)
Idilesi yendawo
192.168.0.2
Idilesi ekude
192.168.0.1
IPsec Imfihlo
Yenza intsimi ingasebenzi (kungenjalo kuyakwenziwa uMlingane omtsha)
Gcina
Yenza intsimi ingasebenzi (kungenjalo ujongano luyacima rhoqo, kuba i mikrotika inefomathi yayo yezi phakheji kwaye ayisebenzi nge Linux)
I-DSCP
ilifa
Musa ukuqhekeza
hayi
Bamba TCP MSS
oyinyaniso
Vumela umendo okhawulezayo
oyinyaniso
Icandelo "IP" - "Iidilesi", yongeza idilesi:
IParamu
Nentsingiselo
idilesi
192.168.0.2/30
ujongano
IPIP-IPsec0
Ngoku unokongeza iindlela kuthungelwano ngasemva komatshini weLinux; xa usongeza indlela, isango liya kuba yi IPIP-IPsec0 yethu yojongano.
PS
Kuba iseva yethu yeLinux iyatshintsha, iyavakala ukuseta iparameter yeClamp TCP MSS yojongano lweipip kuyo:
yenza ifayile /etc/iptables.conf ngeziqulatho zilandelayo:
*mangle
-A POSTROUTING -o ipip+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
kwaye kwi/etc/network/interfaces
post-up iptables-restore < /etc/iptables.conf
Ndine nginx esebenza kuthungelwano ngasemva kwe-mikrotik (ip 10.10.10.1), yenza ukuba ifikeleleke kwi-Intanethi, yongeze kuyo /etc/iptables.conf:
*nat
-A PREROUTING -d 1.1.1.1/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.10.10.1
#ΠΠ° mikrotik, Π² ΡΠ°Π±Π»ΠΈΡΠ΅ mangle, Π½Π°Π΄ΠΎ Π΄ΠΎΠ±Π°Π²ΠΈΡΡ ΠΏΡΠ°Π²ΠΈΠ»ΠΎ route Ρ Π½Π°Π·Π½Π°ΡΠ΅Π½ΠΈΠ΅ΠΌ 192.168.0.1 Π΄Π»Ρ ΠΏΠ°ΠΊΠ΅ΡΠΎΠ² Ρ Π°Π΄ΡΠ΅ΡΠΎΠΌ ΠΈΡΡΠΎΡΠ½ΠΈΠΊΠ° 10.10.10.1 ΠΈ ΠΏΠΎΡΡΠΎΠ² 80, 443.
# Π’Π°ΠΊ ΠΆΠ΅ Π½Π° linux ΡΠ°Π±ΠΎΡΠ°Π΅Ρ OpenVPN ΡΠ΅ΡΠ²Π΅Ρ 172.16.0.1/24, Π΄Π»Ρ ΠΊΠ»ΠΈΠ΅Π½ΡΠΎΠ² ΠΊΠΎΡΠΎΡΡΠ΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΡΡΡ ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΠ΅ ΠΊ Π½Π΅ΠΌΡ Π² ΠΊΠ°ΡΠ΅ΡΡΠ²Π΅ ΡΠ»ΡΠ·Π° Π΄Π°Π΅ΠΌ Π΄ΠΎΡΡΡΠΏ Π² ΠΈΠ½ΡΠ΅ΡΠ½Π΅Ρ
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT
Ungalibali ukongeza iimvume ezifanelekileyo kwiiptables ukuba unezihlungi zepakethi ezisebenzayo.
Si kelela!
umthombo: www.habr.com